Cisco ISE Guest configuration for DNS

Aqi Shah
Level 1

Dear All,

We are facing an issue related to guest access. Right now the customer has their separate network, a separate VLAN, which is connected to the FW, and the DHCP scope is defined on the firewall. When a user comes in, it connects to the internet, gets an IP from internet and without connected.

 

We configured self-registered guest access and are receiving the attached error. DNS is not resolving the portal because we have made entries on the local DNS.

 

Is there any possibility so we can make it simple? Thanks for your suggestions.

Accepted Solutions

JohnNewman7082
Level 1

Hi Aqeel,

From your explanation, I assume that the guest clients simply are not getting a DNS response for your ISE servers due to the network design. There are a few options here, but each has its own caveat.

 

1. Use a static URL for ISE

   Policy > Policy Elements > Results,  click your redirect.  Check the check box for static URL.

Here, you can set up either DNS that is resolvable or an IP address. The issue with using a static DNS entry is that it breaks redundancy.

There are ways to get around this, which we can go into if needed, but too much for right now.

 

If you use the IP address, the same issue with redundancy comes in, but you also are going to start facing certificate issues because you cannot get a 3rd-party cert for a private IP.

 

2. Open a hole for your guests to hit your internal DNS server. This way they can get a proper response.

 

3. Create a DNS server just for the guest environment.

 

 

2 Replies

hslai
Cisco Employee

It's best to troubleshoot and find out why DNS is not resolving correctly.

I agree with JohnNewman7082's points 2 and 3. I think point 1 should only be used during troubleshooting.
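
Added example, not part of the thread and not Cisco tooling: a small Python pre-check for a guest redirect URL that covers the two caveats raised in the replies, whether the guest-side resolver can resolve the portal name and whether the portal certificate can match the host in the URL. The function names, finding codes, hostnames, addresses, port and SAN values are all constructed for illustration; with the default resolver, run it from a client on the guest VLAN so it uses the DNS server guests actually receive.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def system_resolve(host):
    """Resolve with the resolver this machine got from DHCP (run on the guest VLAN)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def san_matches(host, dns_sans):
    """Exact match, or a wildcard SAN covering exactly one leftmost label."""
    host = host.lower()
    for san in (s.lower() for s in dns_sans):
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False


def check_redirect(url, dns_sans, ip_sans=(), resolve=system_resolve):
    """Return a list of finding codes for a guest portal redirect URL."""
    host = urlsplit(url).hostname or ""
    findings = []
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # Static URL built on an IP: no DNS needed, but the certificate suffers.
        if ip.is_private:
            findings.append("private-ip-no-public-ca-cert")
        if str(ip) not in ip_sans:
            findings.append("cert-name-mismatch")
        return findings
    if not resolve(host):
        findings.append("guest-dns-cannot-resolve")
    if not san_matches(host, dns_sans):
        findings.append("cert-name-mismatch")
    return findings


if __name__ == "__main__":
    # Constructed sample: IP-based static URL checked against a cert with one DNS SAN.
    print(check_redirect("https://10.10.20.5:8443/portal", ["guest.example.com"]))
```

An empty list means the URL resolves from the guest side and the certificate name lines up; any finding points at which of the options above still needs work.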